Name
|
Fuzzing and observing application log data/errors for application mapping
|
Summary
|
An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the log or error messages the application returns. Fuzzing techniques involve sending random or malformed messages to a target and monitoring the target's response. The attacker does not initially know how a target will respond to individual messages, but by attempting a large number of message variants they may find a variant that triggers the desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state and crash. By observing logs and error messages, the attacker can learn details about the configuration of the target application and might be able to cause the target to disclose sensitive information.
|
Prerequisites
|
The target application must fail to sanitize incoming messages adequately before processing.
|
Solutions
|
- Design: Construct a 'code book' for error messages. When using a code book, application error messages aren't generated in string or stack trace form, but are catalogued and replaced with a unique (often integer-based) value 'coding' for the error. Such a technique will require helpdesk and hosting personnel to use a 'code book' or similar mapping to decode application errors/logs in order to respond to them normally.
- Design: Wrap application functionality (preferably through the underlying framework) in an output encoding scheme that obscures or cleanses error messages to prevent such attacks. Such a technique is often used in conjunction with the above 'code book' suggestion.
- Implementation: Obfuscate the Server field of the HTTP response.
- Implementation: Hide the inner ordering of HTTP response headers.
- Implementation: Customize HTTP error pages such as 404 or 500.
- Implementation: Hide the software information field in HTTP response headers.
- Implementation: Hide the software information field in cookies.
- Implementation: Obfuscate the database type in the database API's error messages.
|
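The 'code book' and output-cleansing solutions above, as an added example (not part of the original entry): exceptions raised at the request boundary are mapped to integer codes, the message text and stack trace go only to the server-side log under a correlation id, and software-revealing response headers are stripped. The header names, code values and the hypothetical `handle` wrapper are assumptions for illustration.

```python
import logging
import uuid

# Code book: each error class maps to a stable integer code (values are
# constructed for this example). Only the code and a correlation id leave
# the process; message text and stack traces stay in the server-side log,
# which helpdesk staff decode with the same code book.
CODE_BOOK = {
    KeyError: 1001,         # missing parameter
    ValueError: 1002,       # malformed parameter
    PermissionError: 1003,  # authorization failure
}
UNKNOWN_ERROR = 1999

# Response headers that commonly reveal server software (assumed list).
DROP_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version"}
NEUTRAL_SERVER = "web"

log = logging.getLogger("codebook")


def encode_error(exc: BaseException) -> dict:
    """Map an exception to a client-safe payload; log the detail server-side."""
    code = CODE_BOOK.get(type(exc), UNKNOWN_ERROR)
    ref = uuid.uuid4().hex[:12]  # correlation id for finding the log entry
    log.error("ref=%s code=%d type=%s detail=%r",
              ref, code, type(exc).__name__, exc, exc_info=exc)
    return {"error": code, "ref": ref}


def scrub_headers(headers: dict) -> dict:
    """Drop software-revealing headers and replace Server with a neutral value."""
    kept = {k: v for k, v in headers.items() if k.lower() not in DROP_HEADERS}
    kept["Server"] = NEUTRAL_SERVER
    return kept


def handle(handler, request: dict, raw_headers: dict) -> tuple:
    """Run a request handler; on any failure return a uniform 500 with a coded body."""
    try:
        return 200, scrub_headers(raw_headers), handler(request)
    except Exception as exc:  # broad on purpose: this is the output boundary
        return 500, scrub_headers(raw_headers), encode_error(exc)


if __name__ == "__main__":
    # Constructed sample: a fuzzed request missing the 'id' field.
    print(handle(lambda req: req["id"], {}, {"Server": "example/1.0"}))
```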